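# shellcheck shell=bash
# shellcheck disable=SC2034  # every variable here is consumed by the sourcing scripts
#
# Cluster topology for the unibus 3-node deployment (issue 0006g).
#
# This file is SOURCED by generate-cluster-certs.sh and deploy-cluster.sh.
#
# HUMAN: fill in every FILL_ME with the real value before running the
# scripts. The public IPs known at authoring time are pre-filled; the WireGuard
# mesh IPs and magnus's public IP must be supplied. The scripts refuse to run
# while any placeholder remains.
#
# NOTE(review): the placeholder token was lost from this copy of the file, which
# left the node rows below with fewer than four fields. FILL_ME is a constructed
# stand-in; use the exact token the scripts' guard tests for, otherwise the
# "refuse to run" check will not fire. It is also worth having that guard verify
# that every CLUSTER_NODES row has exactly four fields.

# Cluster identity (must be identical on every node).
CLUSTER_NAME="unibus"

# Route-secret username; the password is NOT here — it lives in a file (see
# CLUSTER_PASS_FILE in deploy-cluster.sh) so it never lands in argv or git.
# NOTE(review): keep that file readable by its owner only (mode 0600) and
# outside any directory that is committed or synced.
CLUSTER_USER="unibus-cluster"

# KV/nonce replication factor. START AT 1 for the initial 1->3 rollout, then raise
# to 3 IN PLACE (see README "Scale to R3") once all three nodes have joined. Only
# set this to 3 here after the third node is up and you re-run the KV update.
KV_REPLICAS=1

# Ports (same on every node; the route port is server-to-server only).
# NOTE(review): "server-to-server only" is not enforced by this file; confirm
# the host firewall limits NATS_ROUTE_PORT to the peer addresses listed below.
NATS_CLIENT_PORT=4250
NATS_ROUTE_PORT=6250
HTTP_PORT=8470

# Remote install layout and SSH login user.
# NOTE(review): deployment logs in directly as root. Prefer key-only root login
# (sshd "PermitRootLogin prohibit-password") or a dedicated deploy account with
# narrowly scoped sudo; the value is left unchanged because the scripts that
# source this file are not visible here.
REMOTE_DIR="/opt/unibus"
SSH_USER="root"

# Which address family the inter-node routes use. "wg" builds --routes from the
# WireGuard mesh IPs (private server-to-server links, preferred); "public" uses
# the public IPs. The route layer is always mutual-TLS regardless.
# With "public" the route port is reachable over the internet-facing addresses,
# so mutual TLS becomes the only barrier unless a firewall also restricts it.
ROUTE_NETWORK="wg"

# One row per node: NAME SSH_HOST PUBLIC_IP WG_IP
#   NAME      -> --server-name and the per-node cert filenames (unique).
#   SSH_HOST  -> the host alias passed to `ssh` (see ~/.ssh/config).
#   PUBLIC_IP -> public address; goes in the cert SANs (client-facing data plane).
#   WG_IP     -> WireGuard mesh address; cert SAN + route target when ROUTE_NETWORK=wg.
# Fields are whitespace-separated, so each row must carry all four values.
CLUSTER_NODES=(
  "magnus   magnus FILL_ME       FILL_ME"
  "homer    homer  141.94.69.66  FILL_ME"
  "datardos dd     51.91.100.142 FILL_ME"
)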